Privacy Policy
Last updated: June 11, 2026
Template language — to be reviewed by qualified counsel in your operating jurisdiction before relying on it.
1. Who we are (Controller)
RecovraFlow ("we", "us", "our") operates the chargeback recovery and dispute management platform available at recovraflow.com (the "Service"). For personal data we collect about our website visitors and account holders, we act as the data controller. For personal data our merchant customers upload about their end-customers (e.g., cardholder names, emails, transaction records), we act as a data processor — see our Data Processing Addendum.
Legal entity: [Legal entity name], [registered address], [country of registration], [company number].
Privacy contact: privacy@recovraflow.com
2. Personal data we collect
- Account data: name, work email, company, password hash, role, profile info you provide.
- Merchant dispute data (processed on your behalf): transaction details, customer names and emails, order IDs, supporting evidence files you upload, and dispute status from connected payment processors (Stripe, PayPal).
- Billing data: processed by Stripe — we store customer and subscription identifiers, plan, invoice metadata. We do not store full card numbers.
- Integration credentials: API keys / OAuth tokens for connected processors, stored encrypted at rest.
- Usage and device data: pages viewed, actions taken, IP address, browser type, device identifiers, and similar telemetry used to operate, secure, and improve the Service.
- Cookies and similar technologies: see our Cookie Policy.
We do not knowingly collect "sensitive personal information" (as defined under CCPA/CPRA or comparable US state laws) other than account credentials, which we use only for authentication.
3. How and why we use personal data
- To provide, maintain, secure, and improve the Service.
- To authenticate users and prevent fraud, abuse, and unauthorized access.
- To process payments and manage subscriptions.
- To send transactional and service messages (account, security, billing, product changes). Marketing email is sent only with consent where required.
- To comply with legal, tax, accounting, and regulatory obligations.
- To respond to support requests and enforce our Terms.
4. Use of AI / automated processing
We use third-party AI services (currently Google Gemini via the Lovable AI Gateway) to help draft chargeback rebuttal evidence based on data you provide. AI output is suggested text only, requires human review and approval before submission, and is not a decision that produces legal or similarly significant effects on any individual within the meaning of GDPR Article 22 or comparable US state laws. Inputs are not used to train third-party foundation models.
5. Legal bases for processing (EEA, UK, Switzerland)
- Performance of a contract — to deliver the Service you've signed up for.
- Legitimate interests — security, fraud prevention, product analytics, and business operations, balanced against your rights.
- Consent — for non-essential cookies, optional analytics, and marketing communications where required.
- Legal obligation — tax, accounting, lawful requests from authorities.
6. Sharing and disclosure
We share personal data with vetted sub-processors that help us operate the Service (hosting, authentication, payments, AI, email delivery, analytics, support tooling). A current list is published at Sub-processors. We may also disclose data: (a) to comply with law, court order, or government request; (b) to protect rights, safety, and property; and (c) in connection with a merger, acquisition, or sale of assets, subject to confidentiality safeguards.
We do not "sell" personal information as that term is defined under CCPA/CPRA or comparable US state laws, and we do not knowingly "share" personal information for cross-context behavioral advertising.
7. International data transfers
Personal data may be processed in the United States, the European Economic Area, the United Kingdom, and other countries where our sub-processors operate. Where required, we rely on appropriate safeguards including the European Commission's Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum, and supplementary measures.
8. Retention
We retain personal data for as long as your account is active and as needed to provide the Service. After account closure we typically delete or anonymize personal data within 90 days, except where longer retention is required for legal, accounting, tax, fraud-prevention, or dispute-resolution purposes (commonly up to 7 years for financial records).
9. Your rights — EEA, UK, Switzerland
Subject to applicable law you may have the right to access, rectify, delete, restrict, or object to processing, the right to data portability, the right to withdraw consent at any time, and the right to lodge a complaint with your local supervisory authority. You can exercise most rights from your account settings or by emailing privacy@recovraflow.com. We respond within 30 days (extendable by up to 60 days where complex).
10. Your rights — California (CCPA/CPRA)
California residents have the right to:
- Know what personal information we collect, use, disclose, and (if any) sell or share;
- Delete personal information we hold about you;
- Correct inaccurate personal information;
- Opt out of sale or sharing for cross-context behavioral advertising (we do neither);
- Limit use and disclosure of sensitive personal information;
- Non-discrimination for exercising your rights.
Submit requests via privacy@recovraflow.com or your account settings. We will verify your identity before fulfilling a request. You may use an authorized agent. We do not "sell" or "share" personal information, so no "Do Not Sell or Share My Personal Information" mechanism is required.
11. Your rights — other US states
Residents of states with comprehensive privacy laws — including Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Delaware, New Jersey, New Hampshire, Nebraska, Maryland, Minnesota, Rhode Island, Indiana, Tennessee, and Kentucky — have rights similar to those described above (access, deletion, correction, portability, opt out of targeted advertising / profiling / sale). Submit requests to privacy@recovraflow.com.
12. Security and breach notification
We use administrative, technical, and organizational safeguards appropriate to the risk, including encryption in transit and at rest, role-based access control, and audit logging. No system is fully secure; please protect your credentials and enable multi-factor authentication where available. If a personal data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours where required (GDPR Article 33) and affected individuals without undue delay.
13. Children
The Service is intended for business use and is not directed to children. We do not knowingly collect personal information from children under 13 (US — COPPA) or under 16 (EEA/UK). If you believe a child has provided us with personal information, contact us and we will delete it.
14. Changes
We will post updates to this Policy here and update the "last updated" date. Material changes will be communicated in-product or by email.
15. Contact
Privacy questions, requests, or complaints: privacy@recovraflow.com.